feat(charts): add rhoso-apps helm chart and ci

Add Helm chart for Argo CD Applications (templates, values,
values.schema.json), and a path-filtered GitHub Actions workflow
(lint, template, package) with a TODO for publishing release
artifacts.

Refs: https://redhat.atlassian.net/browse/OSPRH-27658

AI-Assist: Cursor; model=Composer-2; mode=agent; origin=cursor
Made-with: Cursor

Author: cjeanner

.github/workflows/helm-chart.yml

@@ -0,0 +1,72 @@
+---
+# Validate charts/rhoso-apps: lint (incl. values.schema.json), helm-unittest,
+# kubeconform on rendered CRs, package.
+# TODO: When release process is defined, persist and publish the chart artifact
+# (rhoso-apps-<version>.tgz from `helm package`)—e.g. GitHub Release asset, Helm
+# HTTP repo, or OCI registry—for downloadable installs.
+name: helm-chart
+permissions:
+  contents: read
+on:  # yamllint disable-line rule:truthy
+  pull_request:
+    branches:
+      - main
+    paths:
+      - "charts/**"
+      - ".github/workflows/helm-chart.yml"
+  push:
+    branches:
+      - main
+    paths:
+      - "charts/**"
+      - ".github/workflows/helm-chart.yml"
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    env:
+      # Pin tool versions (kubeconform: https://github.com/yannh/kubeconform/releases)
+      KUBECONFORM_VERSION: v0.6.7
+      # helm-unittest plugin: https://github.com/helm-unittest/helm-unittest/releases
+      HELM_UNITTEST_VERSION: "0.7.0"
+      # Kubernetes OpenAPI for built-in kinds; Argo Application uses Datree CRDs-catalog.
+      KUBERNETES_SCHEMA_VERSION: "1.29.0"
+    defaults:
+      run:
+        working-directory: charts/rhoso-apps
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.16.3
+
+      - name: Install helm-unittest plugin
+        run: helm plugin install https://github.com/helm-unittest/helm-unittest.git --version "${HELM_UNITTEST_VERSION}"
+
+      - name: Install kubeconform
+        run: |
+          set -euo pipefail
+          mkdir -p "${HOME}/.local/bin"
+          curl -sSL "https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz" | tar xz -C /tmp
+          mv /tmp/kubeconform "${HOME}/.local/bin/kubeconform"
+          echo "${HOME}/.local/bin" >> "${GITHUB_PATH}"
+
+      - name: Helm lint
+        run: helm lint . -f values.yaml
+
+      - name: Helm unittest
+        run: helm unittest .
+
+      - name: Helm template (kubeconform)
+        run: |
+          set -euo pipefail
+          helm template rhoso-apps-test . -f values.yaml | kubeconform -summary \
+            -kubernetes-version "${KUBERNETES_SCHEMA_VERSION}" \
+            -schema-location default \
+            -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json'
+
+      # Produces rhoso-apps-*.tgz; publishing is TODO until release workflow exists (see file header).
+      - name: Helm package
+        run: helm package .

.yamllint.yml

@@ -5,6 +5,8 @@ ignore:
   - '*.env'
   - '*.txt'
   - '*.sh'
+  # Helm templates are not valid YAML until rendered (Go templating).
+  - 'charts/**/templates/**'
 
 rules:
   line-length:

charts/rhoso-apps/.helmignore

@@ -0,0 +1,25 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# helm-unittest suites (not part of the packaged chart)
+tests/

charts/rhoso-apps/Chart.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: v2
+name: rhoso-apps
+description: Create and manage argocd applications to deploy RHOSO
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "18.0.17"

charts/rhoso-apps/README.md

@@ -0,0 +1,157 @@
+# rhoso-apps Helm chart
+
+This chart renders Argo CD `Application` resources to deploy Red Hat OpenStack Services on OpenShift (RHOSO) and related manifests from Git. Chart-wide defaults apply to every rendered application; each entry under `applications` is optional and can be toggled or overridden independently.
+
+## Chart-wide values
+
+| Key | Type | Description |
+|-----|------|-------------|
+| `applicationNamespace` | string | Namespace for the Argo CD `Application` CRs (`metadata.namespace`). Default: `openshift-gitops`. |
+| `destinationServer` | string | `spec.destination.server` for every application. Default: `https://kubernetes.default.svc`. |
+
+This chart does not set `spec.destination.namespace`; only `destination.server` is set (from `destinationServer`).
+
+## Per-application keys (`applications.<name>`)
+
+Each `<name>` is a unique key (DNS-1123). Set `enabled: true` to render that `Application`; set `enabled: false` to skip it.
+
+| Key | Type | Description |
+|-----|------|-------------|
+| `enabled` | bool | If `true`, render an `Application` CR; if `false`, skip. |
+| `repoURL` | string | `spec.source.repoURL` (Git URL). |
+| `path` | string | Directory in the repo; empty uses default `"."`. |
+| `targetRevision` | string | Branch, tag, or commit; empty uses default `"HEAD"`. |
+| `syncWave` | string | `argocd.argoproj.io/sync-wave` annotation. |
+| `syncOptions` | list | Optional strings merged into `spec.syncPolicy.syncOptions` (for example `Prune=true`). |
+| `kustomize` | map | Optional; passed to `spec.source.kustomize` (`namePrefix`, `patches`, `components`, etc.). See [Argo CD Kustomize](https://argo-cd.readthedocs.io/en/stable/user-guide/kustomize/). |
+| `finalizers` | list | `metadata.finalizers` (Argo CD resources finalizer). Valid: `resources-finalizer.argocd.argoproj.io/background` or `.../foreground`. Omit to use chart default (background). |
+| `project` | string | Argo CD `AppProject`; default `default` if unset. |
+| `syncPolicy` | map | Merged with `syncOptions` into `spec.syncPolicy`. |
+
+### Adding a new application
+
+Copy a block under `applications`, choose a unique key, set `enabled: true`, and set `repoURL`, `path`, and `targetRevision` as needed.
+
+### Default applications (from `values.yaml`)
+
+These entries ship enabled by default; each has a `syncWave` that defines Argo CD apply order (lower waves first).
+
+| Application | Purpose (summary) | Default `syncWave` |
+|-------------|---------------------|--------------------|
+| `operator-dependencies` | MetalLB, nmstate, cert-manager | `-20` |
+| `openstack-operator` | OpenStack operator | `-20` |
+| `openstack-operator-cr` | Main OpenStack custom resource | `-15` |
+| `openstack-secrets` | Vault secrets operator | `-10` |
+| `openstack-networks` | Control plane and dataplane networks | `0` |
+| `openstack-controlplane` | `OpenStackControlPlane` | `10` |
+| `openstack-dataplane` | Data plane node set and deployment | `20` |
+
+## Default application ordering (sync waves)
+
+Replace the placeholder below with a diagram of the default sync-wave ordering for the applications listed in `values.yaml`.
+
+```mermaid
+flowchart TD
+A["operator-dependencies (-20)"] --> C["openstack-operator-cr (-15)"]
+B["openstack-operator (-20)"] --> C["openstack-operator-cr (-15)"]
+C --> D["openstack-secrets (-10)"]
+D --> E["openstack-networks (0)"]
+E --> F["openstack-controlplane (10)"]
+F --> G["openstack-dataplane (20)"]
+```
+
+## Layered values and partial overrides
+
+Helm merges values files left to right: later files override earlier ones. Keep a **base** `values.yaml` (or your fork of the chart defaults) and add **environment** files that only change what differs (for example one Git revision, one path, or a single application).
+
+### Install with base + environment file
+
+```bash
+helm install deploy-rhoso . \
+  -f values.yaml \
+  -f values-prod.yaml
+```
+
+Use any release name and paths; `values-prod.yaml` can be minimal.
+
+### Example: override Git revision for all apps that share defaults
+
+`values-revision.yaml`:
+
+```yaml
+applications:
+  operator-dependencies:
+    targetRevision: main
+  openstack-operator:
+    targetRevision: main
+  openstack-operator-cr:
+    targetRevision: main
+  openstack-secrets:
+    targetRevision: main
+  openstack-networks:
+    targetRevision: main
+  openstack-controlplane:
+    targetRevision: main
+  openstack-dataplane:
+    targetRevision: main
+```
+
+```bash
+helm template deploy-rhoso . -f values.yaml -f values-revision.yaml
+```
+
+### Example: change only one application
+
+Disable or repoint a single app without repeating the rest of `values.yaml`:
+
+`values-disable-dataplane.yaml`:
+
+```yaml
+applications:
+  openstack-dataplane:
+    enabled: false
+```
+
+`values-custom-controlplane-path.yaml`:
+
+```yaml
+applications:
+  openstack-controlplane:
+    path: environments/prod/controlplane
+    targetRevision: v1.2.3
+```
+
+```bash
+helm install deploy-rhoso . -f values.yaml -f values-custom-controlplane-path.yaml
+```
+
+### Example: Kustomize overrides for one application
+
+`values-dev-prefix.yaml`:
+
+```yaml
+applications:
+  openstack-networks:
+    kustomize:
+      namePrefix: dev-
+```
+
+### Example: chart-wide + per-app in one overlay
+
+`values-staging.yaml`:
+
+```yaml
+destinationServer: https://kubernetes.default.svc
+applications:
+  openstack-operator:
+    targetRevision: staging
+  openstack-controlplane:
+    syncWave: "15"
+```
+
+Later keys win for the same path; unspecified keys under `applications.<name>` keep values from `values.yaml`.
+
+## See also
+
+- [Argo CD Application specification](https://argo-cd.readthedocs.io/en/stable/operator-manual/application-specification/)
+- Chart templates: `templates/application.yaml`, `templates/_helpers.tpl`

charts/rhoso-apps/templates/_helpers.tpl

@@ -0,0 +1,86 @@
+{{/*
+Namespace for Argo CD Application CRs (metadata.namespace).
+Pass root context ($) from inside range.
+*/}}
+{{- define "rhoso-apps.applicationNamespace" -}}
+{{- default "openshift-gitops" .Values.applicationNamespace | quote -}}
+{{- end }}
+
+{{/*
+Default Kubernetes API server URL for spec.destination.server.
+Pass root context ($) from inside range.
+*/}}
+{{- define "rhoso-apps.destinationServer" -}}
+{{- default "https://kubernetes.default.svc" .Values.destinationServer | quote -}}
+{{- end }}
+
+{{/*
+Argo CD AppProject name; empty string in values maps to "default".
+Pass dict with key "app" (per-application values map).
+*/}}
+{{- define "rhoso-apps.argocdProject" -}}
+{{- $app := .app -}}
+{{- default "default" $app.project | quote -}}
+{{- end }}
+
+{{/*
+Repository path under spec.source.path.
+*/}}
+{{- define "rhoso-apps.sourcePath" -}}
+{{- $app := .app -}}
+{{- default "." $app.path | quote -}}
+{{- end }}
+
+{{/*
+Git revision, branch, or tag for spec.source.targetRevision.
+*/}}
+{{- define "rhoso-apps.targetRevision" -}}
+{{- $app := .app -}}
+{{- default "HEAD" $app.targetRevision | quote -}}
+{{- end }}
+
+{{/*
+Optional spec.source.kustomize (Argo CD Kustomize overrides).
+Pass dict with key "app" (per-application values map). Omitted if unset, non-map, or empty map.
+*/}}
+{{- define "rhoso-apps.sourceKustomize" -}}
+{{- $app := .app -}}
+{{- $k := $app.kustomize | default dict }}
+{{- if not (kindIs "map" $k) }}
+{{- $k = dict }}
+{{- end }}
+{{- if not (empty $k) }}
+    kustomize:
+{{ toYaml $k | nindent 6 }}
+{{- end }}
+{{- end }}
+
+{{/*
+Merge syncPolicy map with optional syncOptions; emit spec.syncPolicy block or nothing.
+Pass dict with key "app" (per-application values map).
+*/}}
+{{- define "rhoso-apps.syncPolicySpec" -}}
+{{- $app := .app -}}
+{{- $merged := $app.syncPolicy | default dict }}
+{{- if not (kindIs "map" $merged) }}
+{{- $merged = dict }}
+{{- end }}
+{{- if and $app.syncOptions (not (empty $app.syncOptions)) }}
+{{- $merged = merge $merged (dict "syncOptions" $app.syncOptions) }}
+{{- end }}
+{{- if not (empty $merged) }}
+  syncPolicy:
+{{ toYaml $merged | indent 4 }}
+{{- end }}
+{{- end }}
+
+{{/*
+Argo CD Application metadata.finalizers (resources finalizer: background vs foreground).
+Omitted finalizers default to background deletion.
+Pass dict with key "app" (per-application values map).
+*/}}
+{{- define "rhoso-apps.applicationFinalizers" -}}
+{{- $app := .app -}}
+{{- $f := default (list "resources-finalizer.argocd.argoproj.io/background") $app.finalizers }}
+{{- toYaml $f -}}
+{{- end }}